Can Java/Javascripts/Cookies reveal real ip behind VPN?

Discussion in 'privacy technology' started by dagger, Apr 30, 2007.

  1. dagger

    dagger Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    17
    Can having any of these turned on reveal your actual IP address behind a VPN? If anyone knows a site where this can be tested lmk, thanks.
     
  2. dagger

    dagger Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    17
    No one can answer this question?
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It's been asked and answered before. Forum search is your friend...
     
  4. dagger

    dagger Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    17
    Thanks but that thread has nothing to do with my question. I don't use proxies.
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    VPN = proxy accessed via an encrypted connection.
     
  6. hikuela

    hikuela Registered Member

    Joined:
    Jun 4, 2007
    Posts:
    9
    Same question, different poster.

    Search isn't my friend ("The following words are either very common, too long, or too short and were not included in your search : vpn"), and searching for anonymizing emule brings up proxies, which although related to VPNs, are different enough to merit raising the question again.

    From my understanding:
    Proxy = My PC still has the same IP addy (1.2.3.4), but some internet traffic will be forwarded to a proxy (5.6.7.8), which fetches the page from the server (www.google.com), and the proxy returns the page to me. In this example all google knows is that someone at 5.6.7.8 requested a page. However, if google decides to put ActiveX/Java/JavaScript on its site it can request my real IP address.

    Programs which aren't designed with proxies in mind tend to leak bits of info (no idea, but I'd guess some P2P would contain your real IP address as a return address).

    VPN = your computer forgets its original IP addy (1.2.3.4), assumes the new IP (5.6.7.8) and forwards *all* traffic through it, not just proxy aware software. Anything leaking info should leak the new IP, not the original IP. At least that's how I'd hope it would work.

    www.relakks.com basically operates entirely on the premise that all P2P traffic is completely anonymised when using a VPN, since they basically say 'you are immune to RIAA tracking', it must mean that there is no way eMule traffic would include your original IP addy.

    Otherwise if another user could find out your real IP, what would the point in relakks be?

    My question goes a bit further: I'm fairly confident that a VPN would prevent accidental leaks of your real IP address, but would a site actively wanting to monitor you be able to expose your real IP?

    I'm not very familiar with scripting, but to get an IP in Java (thanks to google)
    var ip = new java.net.InetAddress.getLocalHost();

    would there be something like (guessing)
    var ip = new java.net.InetAddress.getLocalHost(nonVPN);

    Previously reliable sites have been taken over by the authorities before, I've seen a few piracy websites display the FBI logo and a warning that "your IP has been logged", how resistant to BigBrother is a VPN, and (more importantly) am I correct that using a VPN makes your emule traffic completely anonymous?
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    This is correct.
    ActiveX and Java applets can be used to bypass a proxy by attempting to connect directly to the site concerned. This can be blocked using a personal firewall (specifically one configured to allow your browser Internet access via the proxy only) as well as by filtering web pages, only allowing Java/ActiveX from sites that you really trusted (ActiveX can and really should be blocked completely).

    I have not been able to find any way to do this with Javascript alone so this can be allowed if your only concern is with breaking anonymity - Javascript has plenty of other scope for abuse though, and is best blocked by default.
    Programs not designed with proxies cannot be used with proxies as a general rule - the one exception is with SOCKS proxy software which is designed to accommodate any network communication (the program in question has to be "SOCKSified" first by being run via software like SocksCap/FreeCap in Windows).
    "Real IP" addresses can only be leaked if the software is actually aware of them - since many users are on broadband with NAT (Network Address Translation - used for sharing a connection between multiple PCs) routers, their computers will not have a "Real" IP address but a private one (typically in the 192.168.x.x range) instead. Programs do not have to include a return IP address themselves since it is included in every packet sent and due to the use of private IP addresses (that then get modified on-the-fly by NAT routers), most won't be aware of the "real" IP address.
    It doesn't in most cases - all that a VPN offers is an encrypted connection to a proxy. The encryption means that the connection itself should be safe from eavesdropping, hence the "virtual private" title. Some VPN software handle this by creating a "virtual network interface" in Windows (one way to ensure that all traffic goes through it) but there is no "forgetting an IP address" involved here - the computer will still have an internal IP and an external one.
    As stated above, the "original" IP address that an eMule client would see would be of no use anyway. However note that there is a big difference between being totally anonymous and "RIAA-proof". Relakks may claim (with some justification) to be able to resist RIAA subpoenas but they are quite capable of tracking users themselves, just as any ISP can. The question is can (or should) you trust them more?
     
  8. hikuela

    hikuela Registered Member

    Joined:
    Jun 4, 2007
    Posts:
    9
    thanks for the information.

    I'm very interested that you haven't found a way to break anonymity using just JavaScript, it would make my surfing a lot easier.

    The VPN stuff has given me a lot to think about.

    I thought that was what an SSH proxy was for?

    So if I set my host firewall to only allow connections to the relakks IP, run a virtual machine, and connect the VM to relakks (Virtual NIC), would I be safe from accidental privacy leaks? In theory I can't see how the VM would know my ISP-assigned IP. In such a situation would it even be possible for ActiveX to leak my realworld IP?

    About some applications not being designed for proxies, wouldn't using a VPN / Virtual NIC make everything behave properly through the proxy? Since running relakks I've not altered eMule's settings to use any proxies (no 'cease and desist' letters yet, but that's hardly a good way to judge privacy).

    Some interesting stuff for me to think over. I really hadn't considered the whole 192.168 issue.

    So normally eMule thinks it has IP address 192.168.*.*, assigned by my router.
    my isp replaces it with 1.2.3.4,
    then relakks replaces it with 83.*.*.*

    Makes sense, easy to logically follow, but I'm still a bit confused, since establishing the VPN (with a virtual network interface) messes with the router.

    1) My computer boots with ip 192.168.*.*, assigned by the router
    2) Connecting to relakks gives me 83.*.*.*, the connection, while obviously traveling through the router, seems untouched by it (a bare net connection, repeated scans on ports 135-139, trojan ports, etc., stuff normally prevented by the router).
    Running eMule it lists its address as 83.*.*.*

    Yet for the packets to actually have an 83.*.*.* address they'd still have to pass through my router and ISP.

    It makes no sense for the packets to leave eMule with an 83.*.*.* address, be replaced with my ISP's address, then be replaced again with 83.*.*.* when they reach relakks? I must be missing something.

    I'm confusing myself, I'll think about this more later.
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    An SSH proxy gives you an encrypted connection which you have to configure other applications to use. With a VPN, you have an encrypted connection which is (typically) used by default by all applications.
    ActiveX/Java applets don't know your "real" (ISP-assigned) IP address in the first place to leak if you connect via a router. The privacy risk is if such an applet is allowed to connect directly to a site without using your proxy - such a connection would reveal your router's ISP-assigned address to the site concerned.

    Using a firewall to limit your browser to connecting via the proxy application or IP address only (specifics vary depending on what you use - see here for an example with Outpost and Proxomitron/Privoxy/Tor) should take care of ActiveX - Java applets will need rules restricting Javaw.exe. Both ActiveX and Java applets can call external applications also, so some level of process control software (e.g. a firewall with good leaktest performance or a process firewall like System Safety Monitor) can cover such situations, alerting you when your browser calls an external program.

    If you are running a VM (Virtual Machine) though, it may cause issues with some firewalls.
    Virtual NICs should work with almost any application.
    Your PC will have an internal IP address (192.168.x.x) assigned by the router - this is the only address visible to software running on it. Network data sent out then has its source address changed by your router, to its IP address which is assigned by your ISP (e.g. 1.2.3.4). If you have configured your programs to use a proxy, the network packets will be addressed to it (at 83.x.x.x say) and it will act as an agent, forwarding them on and receiving replies.

    The only stage at which addresses are actually modified is by your router.
    Relakks uses PPTP (Point-to-Point Tunneling Protocol) so what happens is that every network packet sent is encrypted, then a new set of network headers (source IP address, destination IP address, etc) added before it is sent - first to your router (which changes the source IP address from 192.168.x.x to the router's address, assigned by your ISP) then to Relakks.

    They strip the headers off, decrypt the packet and handle it like a standard proxy would, sending it off to the intended destination (after modifying its source address, to ensure that Relakks receives the response back). When a reply comes back, Relakks encrypts it and sends it back to your ISP-assigned address, where your router picks it up and passes it back to your PC.

    When you do a port scan with a proxy enabled, the port scan will be of the proxy server not your own router or PC and it will list open ports simply because servers have to have open ports in order to accept connections! If Relakks closed/stealthed their ports, you'd never be able to connect to them. See the Outpost forum FAQ Online Scans - What to do with Open and Closed Ports for more information on this.
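    The hop-by-hop address rewriting described in this post (the point hikuela was stuck on above), as an added example that is not from the thread or from Relakks: a Python model of the source and destination headers at each stage. The addresses are constructed for illustration (83.0.0.1 and 83.0.0.57 stand in for the Relakks endpoint and the tunnel address it hands the PC; 203.0.113.9 is a documentation-range peer), and encryption plus PPTP framing are reduced to nesting one packet inside another.

```python
"""Hop-by-hop view of an eMule packet through a PPTP tunnel behind a NAT router.

Added example, not from the thread. Only IP source/destination rewriting is
modelled; the encrypted, PPTP-framed packet is represented as an inner
Packet carried as the outer Packet's payload. All addresses are constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple, Union

LAN_PC     = "192.168.1.10"  # assumed router-assigned address of the PC
ROUTER_WAN = "1.2.3.4"       # ISP-assigned address (the thread's example)
VPN_SERVER = "83.0.0.1"      # assumed tunnel endpoint at the VPN provider
VPN_CLIENT = "83.0.0.57"     # assumed address the VPN assigns to the virtual NIC
PEER       = "203.0.113.9"   # assumed remote eMule peer (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: Union[bytes, "Packet"]  # raw data, or an inner packet once encapsulated


def application_send(data: bytes) -> Packet:
    """eMule binds to the virtual NIC, so the only address it sees is the VPN one."""
    return Packet(src=VPN_CLIENT, dst=PEER, payload=data)


def tunnel_encapsulate(inner: Packet) -> Packet:
    """PPTP client: encrypt the inner packet and add a fresh outer header
    from the PC's LAN address to the VPN server. The inner header is untouched."""
    return Packet(src=LAN_PC, dst=VPN_SERVER, payload=inner)


def router_nat(outer: Packet) -> Packet:
    """Home NAT router: rewrites only the OUTER source to the ISP-assigned address.
    It cannot see (let alone change) the encrypted inner packet."""
    return replace(outer, src=ROUTER_WAN)


def vpn_server_forward(outer: Packet) -> Packet:
    """VPN server: strip the outer header, decrypt, then forward the inner packet
    with its own address as source so the peer's reply comes back to it."""
    inner = outer.payload
    if not isinstance(inner, Packet):
        raise ValueError("outer packet carries no tunnelled packet")
    return replace(inner, src=VPN_SERVER)


def trace(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (hop, src, dst) for the header that is visible at each stage."""
    p0 = application_send(data)
    p1 = tunnel_encapsulate(p0)
    p2 = router_nat(p1)
    p3 = vpn_server_forward(p2)
    return [
        ("eMule -> virtual NIC", p0.src, p0.dst),
        ("PPTP client -> router (outer header)", p1.src, p1.dst),
        ("router -> ISP (outer header)", p2.src, p2.dst),
        ("VPN server -> peer", p3.src, p3.dst),
    ]


def inner_source_after_nat(data: bytes) -> str:
    """Source address of the tunnelled packet after the router has done NAT:
    still the VPN address, which is why eMule's 83.x view is not a contradiction."""
    p2 = router_nat(tunnel_encapsulate(application_send(data)))
    assert isinstance(p2.payload, Packet)
    return p2.payload.src


def address_seen_by_peer(data: bytes) -> str:
    """What the remote eMule peer logs as the sender: never the ISP-assigned one."""
    return trace(data)[-1][1]


if __name__ == "__main__":
    for hop, src, dst in trace(b"ed2k hello"):
        print(f"{hop:40s} {src:>14s} -> {dst}")
```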
     
  10. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    From Steve Topletz, creator of Torpark/XeroBank browser:

    A website that can show you some exploits that can be used to fingerprint and thus track your browsing habits:

    http://gemal.dk/browserspy

    Here is proof of concept for plugin vulnerabilities:

    http://ephemer.al.cl.cam.ac.uk/~sjm217/mediaplayer.html

    Designed by Steven J Murdoch

    I always hear people talk about the same thing:

    The issue is that javascript and java can be used to bypass the connection settings, and thus anonymous proxy settings which would report your true IP.

    All websites used to test Java/Javascript were unable to detect my real IP, while I am using TORPARK browser. The best shot was 127.0.0.1 which is not my real IP, it's "localhost". And one of them (I don't have the URL now) was able to detect the second IP from Torpark browser (I guess the first one is Torpark ISP, and the second one is Torpark). The 3rd one should be my real IP.

    I have the same doubts, never answered. Are these forums and sites safe? Because I always have to allow pages like Wilders Security on the NOSCRIPT whitelist. If I don't do that, I can't reply to posts or even register a new account. Some scripts remain blocked, but hey, who knows?

    The problem is, we can't get rid of javascript, because it is used by so many websites. You can't surf without javascript enabled. It's virtually impossible these days.

    We need to create a list of Javascript functions which can be used to spy out information which can be used to identify a user's real IP.
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    My emphasis added - all the Java-based exploits I have seen have required Javascript also. I have yet to come across any Javascript that can, on its own, cause a browser or external program to initiate a direct network connection.
    I can browse and post here with Javascript disabled (via Proxomitron rather than NoScript though). Have you double-checked that cookies and referers are being allowed? (if you receive an error message about access from an external site, it will be due to referer blocking). Some functionality will be lost without Javascript (the menus at the top and editing options in posts) but nothing essential.
    Hmm...I've been managing this for the last few years. There are certainly some problem sites requiring Javascript but I'd say these come to less than 10%.
    None exist, since for most people connecting via a NAT router, their "real IP" is not visible to any application running locally (only the router-assigned IP address, typically in the 192.168.x.x range). An application would have to connect to a remote system which in turn reports the IP address back in order to find the ISP-assigned IP address. There are some Javascript functions which may indicate the use of a proxy under certain conditions though (e.g. getTimezoneOffset).
     
  12. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Do you think it is very hard for one of these pages to find out your real IP and log this information? All of the tests were unable to find out my real IP:

    http://gemal.dk/browserspy
    http://www.showmyip.com
    http://www.whatismyip.com
    http://www.leader.ru/secure/who.html
    http://support.xerobank.com/IPSpy
    http://bcheck.scanit.be/bcheck
    http://www.jasons-toolbox.com/BrowserSecurity
    http://www.privacygrade.com

    The only information available was "localhost, 127.0.0.1".

    I don't have any board or personal website that is using a control panel to log this information (who is accessing each page, what was the IP address the first time you registered, etc.). Because of that I can't answer if there's any way for these people to know my real IP behind TOR. And that is bothering me.

    I am accepting cookies from sites until I close TORPARK. Now my REF CONTROL is blocking all websites (default for websites not listed).

    "Some functionality will be lost, but nothing essential". Some websites can't work without ALL FUNCTIONS allowed by NOSCRIPT. You can't make a new register, sometimes, by blocking all scripts. Sad, but true.

    This TimezoneOffset is one of Javascript functions used by this board, right?

    Could you explain if there's a way to prevent some application from connecting to a remote system which reports my IP address? Perhaps a firewall can do that? And how do I know my connection is running via a NAT router? Can you be more specific? I don't know what that means.
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    All most of them do is report the address your connection came from - for anyone not using a proxy this would be their "real" IP address. For those using a proxy, the proxy's address would be reported instead.
    All the vBulletin control panel will show is the same IP address that the likes of ShowMyIP or WhatIsMyIP report (along with other information like the last forum page you visited and the user-agent reported by your browser - whether it is Firefox, Opera, IE, etc). This is the bare minimum of information that any website can collect.
    That doesn't apply with this site, in my experience.
    Not that I am aware - however you can easily check for yourself by reviewing every webpage here (right-click and select the View Source/View HTML Source option, depending on your browser and do a search for the function). All it reports though is what timezone your computer is set to.
    I'm not sure what you are asking here. As has been discussed above, an application can't find your "real" IP address without connecting out first to a site that records it (so a personal firewall can certainly stop this by allowing you to block that application from network access in the first place). If that application subsequently tries to transmit the address surreptitiously to a third party, then you can only prevent this by denying it network access (some firewalls offer a "private data" feature where they block traffic containing certain characters like a credit card number or password, but these are of little use since malicious software can encrypt its data).

    Ultimately, if you have an application that you don't trust, don't give it network access and better yet, don't use it in the first place.
    If the IP address reported by sites like WhatIsMyIP differs from your local IP address (open a command prompt and type ipconfig to check this) and your local IP address is of the form 192.168.*.* (which is reserved for private addresses and should never be used on the Internet itself) then you are almost certainly using NAT.
     
  14. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Let me try to explain what I was asking here, and maybe you can help me find out the answers.

    According to Steve (creator of Xerobank browser),

    "NoScript is in his browser by default. It intercepts java, javascript, and plugins like Flash from loading without your permission.

    When it comes across such scripts, a popup bar appears along the bottom of the page letting you know they are blocked. To enable access, right click on the blocking bar, and you can set it to temporarily or permanently allow those scripts to run.

    Scripts can be dangerous and reveal your identity because they can bypass proxy settings (which is the access to the Tor network.) It does not clean the scripts or make them less dangerous, it simply lets you decide to use them or not."


    I need to allow some sites permanently on the NOSCRIPT whitelist in order to use them. Some kinds of boards are not working (if you want to write an answer) without Javascript enabled, since the Rich Text Editor is required to use some functions, or to register a new account.

    I am able to send you messages here on vBulletin, on this board, however that's not always the case. This is one example. You may find others out there (sites that require Java/Javascript and Flash Player always enabled on the NOSCRIPT whitelist, in order to use them).

    I said on my other topic: Flash Player was not yet installed on my Xerobank browser because my fear is: if this kind of content will be allowed here from now on, my true IP could be revealed somehow. I have the same fear regarding these Javascript functions.

    You said earlier that we can't set permissions for Javascript regarding this leaked IP information, since Javascript is all in cleartext it should not be possible to ignore such bad commands (I am talking about the Internet Service Provider IP, not the proxy IP used by Xerobank).

    So, I guess this information could be sent from my Javascript software installed on my computer directly to the site where the plugin is being executed, and not be sent by the Xerobank browser alone. The same information could be sent by Flash Player by itself. I may be able to block both by using my firewall to access directly (and alone) my network. There's another configuration that prevents each application from being executed from another, maybe my firewall can do that either.

    The point is: my browser will be ready to use Javascript and Flash functions after this kind of action?

    Actually, jusched.exe (I guess this is Javascript software) has the following rules (from my firewall):

    Block Inbound and Outbound TCP connections
    Block Inbound and Outbound UDP packets

    Flash Player is not listed here.

    Is that enough?

    Or maybe both are sending this information while you're using Xerobank. I don't know, that's why I need your help to prevent these actions and block all possible attempts to find out my true provider IP, what should I do?

    Xerobank has free clearance here, all rules related to a single browser, such as: DNS Service - Allow Outbound (stream) UDP packets where: port 53 are allowed here.

    I believe my PC is using a modem router, this DSL connection is redirected to 2 computers from my home. You may access the router config and set your username and password, from your ISP, for example. Just type 10.1.1.1 on your browser.

    IPCONFIG, from MS-DOS, is showing this information:

    Ethernet Local connection:

    DNS Suffix: -
    IP address: 10.1.1.3
    Subnet mask: 255.0.0.0
    Gateway: 10.1.1.1

    The second computer:

    DNS Suffix: -
    IP address: 10.1.1.4
    Subnet mask: 255.0.0.0
    Gateway: 10.1.1.1

    ISP - IP (example): 220.211.30.4 (my true IP) - Italy
    Proxy IP from Xerobank (variable): 88.331.4.0 - Greece

    My firewall: Kaspersky Internet Security 6.0
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    In the case of vBulletin forums like this one, it is not necessary to have Javascript enabled. Just ensure that you have selected the Basic Editor in User CP/Edit Options/Miscellaneous Options/Message Editor to avoid having to use the fancy-schmancy RTF one (which may require JS to function).
    If you take the time to check details on this, you'll find that any such "compromise" involves making a separate Internet connection. Solution - block your web browser (and any related plugins or media players) from direct Internet access using your firewall.
    No I didn't say that - I said that (a) Javascript has no means of obtaining your ISP-assigned IP address that I know of and (b) any malware that did obtain this address somehow would likely use encryption to send it (and any other data) to a third party, so don't rely on any "private data" features offered by firewalls to stop this (e.g. ZA's Privacy Vault, Outpost's Private Data Transfer). Essentially, if your system becomes compromised, you cannot rely on a proxy to protect you - but that isn't its job in the first place.
    You seem to be confused over the nature of Javascript - it is not a separate application (like Java or Flash) but instead a script language handled by the browser itself. For that reason, it has no means (again, as far as I know) of bypassing browser restrictions.
    Wrong guess, as a quick Google search would have shown. It is Sun's Java updater so can be blocked (or better yet, stopped from running at startup), but it isn't a major privacy threat.
    10.x.x.x is a private IP address range (as defined in RFC 1597) so if you are using a modem, then your ISP must be using NAT on your behalf.
     
  16. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Wait! Are you saying the only way for sites to get our true IP from media players is making a direct connection while these players are running (alone?), so, that means if you're running one video from Youtube, for example, and in order to do this you need Flash Player, your browser will save in the Flash Player directory all the contents from this site (cached on your hard drive to be running while the browser is open and after that, deleted).

    And then, you will be able to watch this video, with Xerobank's help.

    So, any contents that are blocked by firewall rules which may be a threat to our privacy are related to Outbound (stream) TCP connections or packets (if that's true, my Windows Media Player and Real Player are already blocked in my firewall, I just can't find Flash Player) and you may watch these contents with no worries because your computer is not sending back any information (even by Xerobank), you're just receiving data. Is that correct?

    Please elaborate what "web browser" means, since there's no way to block anything Xerobank is doing or any other regular browsers from executing media players (and if you do that, you will not be able to watch their contents, the same applies for those who block all Javascript functions from everyone). I've made some tests here and even if you set Media Player not allowed to be executed, all browsers are chasing DLLs to override this rule.

    Configuring critical applications control rules

    Critical applications are executable files of programs which are extremely important to monitor, since malicious files use such programs to distribute themselves.

    A list of critical applications, formed by Kaspersky Lab specialists and included into program distribution kit, is given on the Critical applications tab. A monitoring rule is created that regulates the activity of that application. You can edit current rules and create your own.

    Proactive Defense analyzes the following operations involving critical applications: starting them, changing the makeup of application modules, and starting an application as a daughter process. You can select the Proactive Defense reaction to each of the operations listed (allow or block the operation) and also specify whether it is necessary to record activity in the report on component operation. Practically all critical operations are allowed to start, be edited, or started as daughter processes by default.


    OK, I think I found it:

    Java.exe - Windows/System32

    Block - Inbound and Outbound TCP connections
    Block - Inbound and Outbound UDP packets
     
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Or starting a media player/plugin to connect directly - there's no need for the player to be running already.
    You are talking about caching content which isn't an issue - YouTube video access should be done by your browser via the proxy configured for it. It is possible for a site to contain a Flash element that triggers the plugin to attempt to connect directly instead (bypassing any proxy settings) and this is what having strict firewall settings can block. Certain Firefox plugins can have a similar effect (making direct connections, compromising your anonymity) as noted here in the Tor FAQ.

    See also the Tor and Javascript thread for more details.
    If your firewall is configured to prompt you whenever an application first requests access (most are) then not having rules for your Flash player should not be a problem - you will be prompted if it ever tries to connect directly.
    Well, almost every network connection is 2-way - when you download data, you will also send replies back to acknowledge receipt. However the replies will be routed the same way as your initial request, using whatever proxy you have configured.
    I've not used Xerobank so can't comment explicitly on it, but any application they run separately should be controllable via your firewall - browser plugins on the other hand should be affected by the rules configured for your browser. If you configure your firewall to block all network access for your browser except via a proxy and block (or at least, set to prompt) network access for any media players, then that should cover all conceivable exploits.
     
  18. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Paranoid, do you really think it is necessary to download and install this Proxomitron feature in order to prevent some leaked information? I am only using Xerobank, NOSCRIPT and my firewall (Kaspersky IS 6.0).

    Look what you said here:

    https://www.wilderssecurity.com/showpost.php?p=384351&postcount=13

    These rules prevent browser, Proxomitron or Privoxy from accessing the Internet directly (ensuring that any browser exploit causing a direct connection is blocked). This, in conjunction with the appropriate Proxomitron filters, will prevent any website from using Java or Javascript to discover your real address.

    If that's true and this Proxomitron really needs to be downloaded, do you have some link where I can find it and all these recommended filters? Please note, your post was placed two years ago.

    I believed until today Xerobank was capable of doing what Privoxy/Proxomitron were doing, and they were some old software released before Xerobank and you keep using them even these days for sentimental reasons (I guess this is not the case).

    Please, if you can, look at my firewall rules and see if they are correct. I can't do everything you teach me exactly (see my explanation):

    Your post (related to Outpost firewall):

    My Kaspersky firewall is configured this way:

    Tor.exe, TORCIRCUITSTATUS.exe and signal.exe all have exactly the same rules:

    * Block Other Tor Traffic (rule)

    - Block Outbound stream TCP connections.

    * Incoming Tor Request

    - Allow Inbound (stream) TCP connections where:
    Remote IP address: 127.0.0.1
    Local port: 9050

    * Tor Network access

    - Allow Outbound (stream) TCP connections where:
    Remote Port 80, 443, 9001-9004, 9030-9033, 9100

    The same rules specified for Outpost were followed. Nothing to see here (although I don't know if it was really necessary to apply them to torcircuitstatus and signal.exe, along with tor.exe).

    Browser Ruleset:

    Using: Firefox.exe from Xerobank's directory.

    These rules were not followed from your quote:

    * Browser Blocked Hosts: Protocol TCP, Outbound, Remote Host 127.0.0.1, Remote Port HTTP, HTTPS, Block *see note below*

    * Browser Allow Direct Web Access: Protocol TCP, Outbound, Remote Port HTTP, HTTPS, Allow *this rule should be disabled, see below*


    Since they were not necessary, according to your explanation (my HOSTS file is not being required and XEROBANK may surf on any forbidden website specified on that file, unlike Internet Explorer). Also, I don't want to use Xerobank and not being anonymous at all (and then, the second rule is not necessary either, I may use some regular browser in order to not have privacy).

    This rule was created:

    * Browser Block Direct Web Access: Protocol TCP, Outbound, Remote Port HTTP, HTTPS, Block

    However, Kaspersky does not allow you to write HTTP and HTTPS in the remote port field. You may specify only numbers, not words.

    This rule on Kaspersky is now blocking everything and because of that, the browser is not working, even if you disable TOR.

    Like I said you may only use Remote port if you wish to write numbers, and not HTTP/HTTPS words:

    * Browser Block Direct Web Access: Protocol TCP, Outbound, Block

    The first rule from your browser ruleset is related to Proxomitron. Since I don't have it installed here, I should use the same parameters in order to allow Xerobank to surf the web. My guess.

    * Browser Proxomitron Access: Protocol TCP, Outbound, Remote Host 127.0.0.1, Remote Port 8080, Allow

    Here on Kapersky:

    * Browser Xerobank Access: Protocol TCP, Outbound, Remote Host 127.0.0.1, Remote Port 8080, Allow *

    The problem is, you can't use Xerobank/Firefox if you don't allow Outbound TCP connections.

    So, your browser ruleset is inaccurate. How could you block every outbound stream from being sent from your browser, and after that, create a rule to allow the same thing *? And what about UDP packets?

    This is a paradox. I am sorry, your Browser Ruleset is incomplete or my firewall can't help me on this occasion (perhaps because it only accepts numbers instead of the HTTP/HTTPS protocols).

    I was writing a very simple post before looking into your rules for Outpost firewall, which may help me prevent unauthorized connections. My only rule, created minutes ago, was:

    Allow Inbound and Outbound TCP where:
    Remote IP address: 127.0.0.1


    Remote port was not specified, since your 8080 port from Proxomitron is not being used by TOR (it is using 9050 instead).

    Also:

    Allow Inbound and Outbound UDP packets where:
    Remote IP address: 127.0.0.1


    And based on these 2 rules, Xerobank was able to connect to TOR's proxy rather than directly using my ISP IP to surf the web. Unfortunately, this is not enough, according to your explanations.
     
  19. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    I am sorry for not checking this problem first. The first rules from Outpost are also incorrect, if we are talking about TOR/Xerobank.

    Tor Ruleset (your post):

    * Incoming Tor Request: Protocol TCP, Inbound, Remote Host 127.0.0.1, Local Port 9050, Allow

    * Tor Network Access: Protocol TCP, Outbound, Remote Port 80, 443, 9001-9004, 9030-9033, 9100, Allow

    * Block Other Tor Traffic: Protocol TCP, Outbound, Block


    TOR.exe is always trying to connect to different local ports/remote IPs (and not only 8080/9050 and 127.0.0.1), and your configuration does not allow this, which is enough to keep Xerobank from starting.

    And I was talking about UDP packets, never mentioned by you. Yes, they are also needed in the firewall rules.
     
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Proxomitron is not necessary but it is the most effective web filter available, for those prepared to take the time to learn how it works.
    The combination of Proxomitron, Privoxy and Tor is what I currently consider to be the strongest for ensuring online anonymity.
    Proxomitron provides a level of control that is pretty much unique (you could for example, use it to filter out specific Javascript commands) - only Firefox's GreaseMonkey extension can really compare with it.
    They work for me with Tor - I've not used Xerobank though.
    The rules listed will allow most connections for Tor - it should not however require connections to 8080.
    If XeroBank is a combination of browser and Torrify client then it will need Firefox-type Allow rules (possibly a wider range to the loopback address 127.0.0.1). Tor itself does not use UDP by default so should not require rules for it.
     
  21. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Paranoid, thanks for your help. I think I solved this problem here with the Kaspersky firewall.

    It was necessary to shut down all prompts (High Security instead of Training Mode), and they will not appear from now on. So, all connections not permitted by the rules are now blocked.

    This standard action is really required because TOR.exe is always trying to connect in many different ways, all the time, even after the browser is running.

    The following rules were created, and Xerobank has been working ever since.

    TOR.exe

    * Incoming Tor Request

    Allow Inbound (stream) TCP connections where:
    Remote IP address: 127.0.0.1
    Local port: 9050

    * Tor Network Access

    Allow Outbound (stream) TCP connections where:
    Remote port: 80, 443, 9001-9004, 9030-9033, 9100

    * Block Other Tor Traffic (TCP)

    Block Outbound (stream) TCP connections



    TORCIRCUITSTATUS.exe

    Allow Inbound and Outbound (stream) TCP connections
    Allow Inbound and Outbound (stream) UDP packets

    It was necessary to give the circuit status free passage because if the same rules from TOR.exe were used, it would not be able to connect.



    Firefox.exe (Xerobank)

    * Allow TCP activities

    Allow Inbound and Outbound TCP connections where:
    Remote IP address: 127.0.0.1

    Now it is not possible to surf the web without the TOR button enabled either (one of my fears was turning off the button by accident).



    XBBROWSER.exe

    * Block Any TCP Activity

    Block Inbound and Outbound (stream) TCP connections
    Block Inbound and Outbound (stream) UDP packets

    * XBBROWSER was only required to send back status data, for unknown reasons. Firefox.exe from Xerobank's directory is, in fact, what all Xerobank users are using to surf the web.

    And that's all. :)

    Update: Outpost firewall was installed and Kaspersky removed. It was possible to follow all your rules exactly. As for the HTTP / HTTPS words, they were just links to the real ports used by these functions (HTTP, for example, uses port 80).
     
    Last edited: Jun 30, 2007
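The ordering question raised above (block every outbound stream from the browser, then allow the loopback proxy) and the working rulesets in this post can be checked against a small first-match model. This is an added example, not code from the thread, from Outpost or from Kaspersky; the rule names, ports and 127.0.0.1 are the ones posted, while first-match evaluation and the remote address 198.51.100.7 are assumptions.

```python
# Added example (not code from the thread, Outpost or Kaspersky): a first-match
# model of the per-process rulesets posted above. Rule names, ports and the
# loopback address are from the posts; first-match ordering is an assumption.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    direction: Optional[str] = None  # "in", "out" or None for either
    proto: Optional[str] = None      # "tcp", "udp" or None for either
    remote_ip: Optional[str] = None  # None matches any remote address
    remote_ports: Tuple = ()         # ints or (lo, hi) ranges; () = any port
    local_ports: Tuple = ()

def port_matches(port: int, spec: Tuple) -> bool:
    """Empty spec matches every port; otherwise accept listed ports or ranges."""
    return not spec or any(
        port == p if isinstance(p, int) else p[0] <= port <= p[1] for p in spec)

def evaluate(rules, direction, proto, remote_ip, remote_port, local_port):
    """Return (action, rule_name) from the first matching rule; no match = block."""
    for r in rules:
        if r.direction not in (None, direction) or r.proto not in (None, proto):
            continue
        if r.remote_ip not in (None, remote_ip):
            continue
        if port_matches(remote_port, r.remote_ports) and port_matches(local_port, r.local_ports):
            return r.action, r.name
    return "block", "default (no rule matched)"

# Tor.exe ruleset as posted: SOCKS in on loopback, relay ports out, nothing else.
TOR_RULES = [
    Rule("Incoming Tor Request", "allow", "in", "tcp", "127.0.0.1", local_ports=(9050,)),
    Rule("Tor Network Access", "allow", "out", "tcp",
         remote_ports=(80, 443, (9001, 9004), (9030, 9033), 9100)),
    Rule("Block Other Tor Traffic", "block", "out", "tcp"),
]

# Browser ruleset: the loopback Allow must sit above the catch-all Block, or the
# Block swallows the connection to Tor's SOCKS port too (the "paradox" above).
BROWSER_ALLOW = Rule("Browser Xerobank Access", "allow", "out", "tcp", "127.0.0.1")
BROWSER_BLOCK = Rule("Browser Block Direct Web Access", "block", "out", "tcp")
BROWSER_RULES_OK = [BROWSER_ALLOW, BROWSER_BLOCK]
BROWSER_RULES_BAD = [BROWSER_BLOCK, BROWSER_ALLOW]

if __name__ == "__main__":  # 198.51.100.7 is a constructed remote address
    print(evaluate(TOR_RULES, "out", "tcp", "198.51.100.7", 9001, 50000))       # allow
    print(evaluate(BROWSER_RULES_OK, "out", "tcp", "198.51.100.7", 80, 50001))  # block
    print(evaluate(BROWSER_RULES_BAD, "out", "tcp", "127.0.0.1", 9050, 50002))  # block!
```

With the two browser rules in the wrong order the proxy connection is blocked by the same rule that was meant to stop direct web access, which is the behaviour described above with the Kaspersky ruleset.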
  22. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Before this thread can no longer be answered, I need to ask some new questions. Please be patient while reading the whole thing. :)

    Speaking of Outpost Firewall only, I am using version 4.0.964.6926 (584). I followed Paranoid's rules regarding the files:

    Firefox.exe (from Xerobank's directory)

    Rule: Browser Block Direct Access

    Tor.exe

    Rules:

    Incoming Tor Request
    Tor Network access
    Block Other Tor Traffic

    The problem is, there's an Anti-leak control section where you have to specify the rules for each piece of software.

    I set these rules:

    Prompt these requests:

    Windows hooks
    DDE intercommunication
    Application window control
    App launch with parameters
    OLE application control

    Allow these requests:

    Critical registry entry

    Blocked requests:

    DNS API request
    App launch with URL

    Dangerous/prompt requests:

    Process memory injection
    Network driver opening

    Currently, I am following the policy of "Block Most" instead of "Rules Wizard". Maybe it's too dangerous to set rules by default if you want to catch any further unauthorized attempt to make a connection.

    As you can see, I am blocking the "DNS API Request", which is an attempt by a non-network-enabled application to submit a DNS request, and "App Launch with URL", which is an application's attempt to launch another process with a URL as a parameter. For all the other options, Outpost prompts me.

    Actually, I checked the DNS cache logs from Outpost and indeed, Tor is not recording any DNS requests, according to the explanations regarding DNS leaks.

    According to Steve Topletz, XeroBank and TOR don't require Privoxy to perform this job, and no DNS is leaked to your ISP.

    The problem is, in the exclusions section (from the Anti-leak control), Firefox.exe from the XB directory was required, even after these modifications to the Outpost rules explained by Paranoid2000. Tor.exe is not listed there (exclusions - Anti Leak control).

    All the options are set to "Use Global" for Firefox.exe (from the XB directory), but one of them I needed to change to Allow. :p

    It was exactly the DNS API request. If you don't do that, the browser will not make any connections while using Tor.exe. Is that OK? :)

    I noticed that you talk about not allowing Flash and other plugins to perform direct connections and XB/Firefox to not call any external program. As you can see by typing "about:plugins", all files related to Java applets (or ActiveX?) are DLL files.

    So, the only files for which you need to block internet access are Java.exe, Javaw.exe and Javaws.exe from Windows32/System?

    From what I can see, they were never required by Firefox while Noscript is allowing that page to use Java/Javascript/Flash. There's also a very useful explanation about Javascript in this thread:

    http://sla.ckers.org/forum/read.php?3,4022

    I just found this Javascript code which makes that statement true:

    http://stud1.tuwien.ac.at/~e9125168/javas/jhostip.html

    How do I make Firefox not connect to any external programs, using Outpost?

    You see, this is not just a simple rule to stop any of these programs from connecting to the internet, but also a rule which will stop Firefox from launching other programs.

    There's also one setting for how Firefox treats extensions. You may set it to use the Quicktime plugin to play the file, or to save it to your hard disk, for example. You didn't mention them before.

    You spoke about ping and tracert, but how about all the plugins already installed in Firefox? How do I know they are not bypassing my firewall rules, even if Firefox is using these rules to block direct access? Because they are inside Firefox.

    If you could give a clear example of an attempt to make an external call using Firefox, I would really appreciate it. Your tips were very useful. :thumb:
     
    Last edited: Nov 1, 2007